Craig McClanahan writes:
>The strategy I follow is to store a username (or some User object) as a session
>attribute when the user logs on, like this:
>
> HttpSession session = request.getSession();
> String username = ... whatever the username is ...
> session.setAttribute("user", username);
>
>Now on every request, I can check very simply whether the user is logged on or
>not:
>
> HttpSession session = request.getSession();
> String username = (String) session.getAttribute("user");
> if (username == null) {
> ... the user is *not* logged on ...
> } else {
> ... the user *is* logged on ...
> }
[snip]
>* If the user comes back before the session has timed out,
> the "user" attribute will still be present.
>
>* If the session has timed out, a new session will be created
> by the logic above -- but the "user" attribute will be missing
> (because the user has not gone through your "login" yet).
> Typically, you would redirect them to the login page here.

If the user tries to bookmark a page inside the application,
so they can return at a later date without signing on (a no-no),
the symptom appears the same.

So the question I had was: how can I detect whether they tried this
"deep bookmark," or whether the session just timed out?

Thanks to the RequestHeaderExample servlet, I think I just found an
answer. The header "referer" appears to be set when the page is accessed
from a link, and contains the full URI of the original page. (The header
is not set if the new URI is entered directly.)

Thus, it appears the following will work (Apache 1.3.12 + Tomcat 3.2.1):

    String referer = request.getHeader( "referer" );
    if( referer == null || referer.toUpperCase().indexOf( "X.COM" ) < 0 ) {
        ... deep bookmark ...
    } else {
        ... timeout ...
    }

Is there a better way?
--Glenn, who should probably lurk longer before asking
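
The timeout-versus-bookmark question can also be answered from session state instead of the Referer header, which the browser supplies and may omit or alter. The following is an added example, not part of either original post: it uses the Servlet API's getRequestedSessionId() and isRequestedSessionIdValid() to tell a stale session id from a request that carried none. The class name LoginCheck, the /login.jsp path and the "reason" parameter are assumptions, and the servlet API must be on the classpath.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical helper: class name, login path and "reason" parameter are assumptions.
public final class LoginCheck {

    public static final int LOGGED_ON = 0;     // session carries the "user" attribute
    public static final int TIMED_OUT = 1;     // client presented a session id that is no longer valid
    public static final int NOT_LOGGED_ON = 2; // no stale id: bookmark, typed URL, or login not completed

    private LoginCheck() { }

    /** Classifies the request from server-side session state, not from the Referer header. */
    public static int classify(HttpServletRequest request) {
        // getSession(false) never creates a session, so anonymous hits allocate nothing.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute("user") != null) {
            return LOGGED_ON;
        }
        // A session id arrived (cookie or URL rewriting) but the container rejects it.
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            return TIMED_OUT;
        }
        return NOT_LOGGED_ON;
    }

    /** Returns true if the caller may continue; otherwise a redirect to the login page was sent. */
    public static boolean requireLogin(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        int state = classify(request);
        if (state == LOGGED_ON) {
            return true;
        }
        // Both failure cases get the same access decision; only the message differs.
        String reason = (state == TIMED_OUT) ? "timeout" : "login";
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + "/login.jsp?reason=" + reason));
        return false;
    }
}
```

The requested session id is also sent by the client, so the timeout/bookmark distinction should only select the message shown on the login page; access is decided solely by the server-side "user" attribute.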